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METHOD AND APPARATUS FOR SECURE REMOTE SYSTEM 

MANAGEMENT 

FIELD OF THE INVENTION 

5 The invention relates generally to methods and apparatuses for remote 

management of a system, including transferring component information to remote 
applications, remote monitoring of system health, and the ability to perform corrective 
and/or preventive actions towards system health remotely. More particularly, the 
invention relates to a method and apparatus for transferring such control and data 

10 between a computer system and a remote application securely. 

BACKGROUND OF THE INVENTION 

Robust security is imperative for network-based systems, particularly for 
applications that deal with sensitive information, to prevent unauthorized agents from 

15 intercepting, corrupting or publishing sensitive data. A suitable information security 
system must perform with minimum disruption to users to ensure that authorized users 
are neither erroneously denied access nor unduly restricted in their duties. 

Efforts exist in the server industry to develop a standard to create manageable 
hardware building blocks that share management information through a standard 

20 interface, known as the Intelligent Platform Management Interface (IPMI). This 
standard is designed to allow plug-and-play architecture for hardware management, 
thereby making possible scalable systems utilizing hardware from multiple vendors, 
while resulting in a completely manageable system. 

Remote management of the IPMI occurs through host instrumentation client 

25 applications executing on the operating system. Several existing standards, such as the 
Desktop Management Interface (DMI), Common Information Model (CIM) and Simple 
Network Management Protocol (SNMP) define frameworks to access the management 
data through the operating system-based services. Management data can also be 
accessed directly in some systems without passing through the operating system or the 

30 main system processors, which access is called "out-of-band" access, and which can 
occur via modem, serial and local area network connections. 
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The remote access mechanisms used today provide limited security, such as 
clear text password, for direct access to the hardware components. Using this access, 
critical operations may be executed (e.g., shutting down or resetting the system). 
Therefore, it is imperative to include adequate security mechanisms for this access. 

5 Unfortunately, the platform management components (i.e., the micro-controllers that act 
as service processors) are usually low-cost hardware, and typically have very low 
processing power and memory. The security infrastructure therefore must not require 
significant processing capacity and memory resources from these devices without 
compromising security. 

10 Examples of client applications that enable remote management of hardware 

components include the Intel Server Control (ISC) product and the Appliance Server 
Management (ASM) product. The ISC product allows in- and out-of-band access to the 
server. The various connection points between the console and the server are depicted 
in FIG 2. ASM provides similar functionality, the connections of which are depicted in 

15 FIG 3. 

Modest security mechanisms are provided for the ISC and ASM connections. In 
ISC, for example, a password routine protects access from the Direct Platform Control 
(DPC) console 24 to: (1) the Server Management Controllers (SMCs) 28; (2) the BIOS 
25 (and the BIOS mode is accessible only if access to the SMC is authorized, as a 

20 command to remotely reboot the system can only be issued in this mode); (3) the 
Service Partition (and the service partition mode is only accessible if the access to the 
SMC is authorized, as a command to remotely reboot to the service partition can only 
be executed in this mode). In addition, in ISC the SMC can be configured to operate in 
a "Restricted Access Mode" preventing the DPC console from executing any 

25 Reset/PowerOff commands. In ISC, direct access to the firmware can also be 

completely disabled. In ASM, access from the ASM Emergency console 32 to BIOS 33 
is protected by a password routine. In the ISC product, however, access from the 
Platform Instrumentation Control (PIC) 21 to the DMI instrumentation 27 on the 
operating system does not occur through any authorization process. This limitation 

30 originates with the DMI, which allows free access to the instrumentation. In contrast to 
the ISC, access from the ASM console 3 1 to the CIM instrumentation 35 is protected by 
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a username/password validated by the web server (IIS) on the managed Windows 
Appliance, 

An example of a service processor for interacting with client applications for 
managing hardware components is the Baseboard Management Controller (BMC), 

5 which provides a level of systems management via an external modem or a network 
adapter during all system states. This includes the powered-down, pre-boot, OS-down 
or OS-up situations. The DPC graphical user interface (GUI) communicates directly 
with the BMC. Even if the OS on the target server is operating, communications 
between the DPC and BMC do not pass through it. 

1 0 The functionality that can be achieved through this connection is the monitoring 

of hardware sensors, access to sensor configuration access to the Platform Event log, 
and the capability to reboot, power cycle or shutdown the system. Consequently, this 
connection requires that a DPC user be properly authenticated, ensuring the user is 
authorized to perform the operations. The communication over the wire must be 

15 protected against spoofing, session hijacking or replay attacks. The privacy of the data 
is not critical, as security is not compromised if an unauthorized person reads a 
command to "reboot the system." The security of the system is protected as long as 
integrity of the data is preserved.. 

To complicate matters, there are certain restrictions in this environment that 

20 impact on the ability to integrate security measures into the interface. The management 
controller employed in this environment may have a low processing capability as well 
as limited resource capability, both in terms of code size, and the available memory to 
execute the code. Moreover, the due to aforementioned processing limitation, extensive 
computations that are typical of many security schemes are not possible. 

25 The present invention is therefore directed to the problem of developing a 

method and apparatus that execute independently of the operating system for interfacing 
with hardware components via direct access from a remote device in a secure manner, 
without overly taxing the processing and memory resources of the hardware 
components. 



30 
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SUMMARY OF THE INVENTION 

The exemplary embodiments of the present invention are methods and 
apparatuses which prevent unauthorized access to hardware management information. 
A request for hardware component information to a service processor disposed in a 

5 hardware component is transmitted as an open session request from a requesting client 
application. That request is passed to the service processor, external to an operating 
system controlling the hardware component. The service processor sends challenge 
string to the requesting client application. The requesting client application then 
transmits to the service processor a challenge response. The requesting client 

10 application then receives from the service processor an authentication response, based 
on a comparison of the challenge response from the requesting client application and an 
expected challenge response calculated in the service processor. 

BRIEF DESCRIPTION OF THE DRAWINGS 
15 FIG 1 depicts an example of an environment to which the exemplary 

embodiments are applied, 

FIG 2 depicts console connection for the ISC client application. 
FIG 3 depicts console connections for the ASM client application. 
FIG 4 depicts a DPC message format as a User Datagram Protocol. 
20 FIG 5 depicts an exemplary embodiment of a method for authenticating a user 

when accessing a hardware component out-of-band. 

FIG 6 depicts an exemplary embodiment of a system to which the method of 
FIG 5 is applicable. 

25 DETAILED DESCRIPTION 

It is worthy to note that any reference herein to "one embodiment" or "an 
embodiment" means that a particular feature, structure, or characteristic described in 
connection with the embodiment is included in at least one embodiment of the 
invention. The appearances of the phrase "in one embodiment" in various places in the 

30 specification are not necessarily all referring to the same embodiment. 
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The embodiments described herein employ an authentication protocol that does 
not unduly tax a service processor located in the hardware components, but prevents 
unauthorized access to hardware management information in an out-of-band mode. In 
general, the authentication aspects of the embodiments operate as follows. 

5 Upon receipt of a request for hardware component information, which arrives in 

the form of an open session request that passes external to the operating system, the 
service processor transmits a challenge string to the requesting client application. The 
requesting client application then transmits a challenge response, which includes a 
sequence number that increments with every new message. The challenge response 

10 also includes a hash number calculated by the requesting client application, which hash 
number is a function of the challenge string, session identification number, sequence 
number and/or a password. Upon receipt of the challenge response, the service 
processor compares the challenge response to a calculated expected response to the 
challenge. The expected challenge response can be calculated in advance of receipt of 

1 5 the challenge response or as part of the response processing by the service processor. 
Based on the result of the comparison, the service processor transmits an authentication 
response to the requesting client application indicating success or failure of the 
authentication process. 

In addition to the initial authentication protocol described above, each new 

20 command from the client application includes a similar authentication to verify it is a 
proper "command. One possible implementation of this command and data 
authentication includes a hash number with every command and/or data transmitted to 
the service processor. As described above, the hash number can be a function of one or 
more of the session identification number, sequence number, password and the 

25 command and/or data. 

The security of the scheme of the embodiments stems from the secret password 
that is only known to a few authorized entities (such as administrators of the system). 
This scheme is superior to a clear text password scheme (where the password text is 
transmitted in the open), since the password is never transmitted openly on the wire. 

30 The salient security features of the scheme of the embodiments include one or 

more of the following: 
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1 . The remote application requires the knowledge of the secret password 
to generate the keyed hash (or, more accurately, the Message 
authentication code). 

2. Other malevolent entities on the wire are unable to decipher the secret 
5 password from the hash. 

3 . Other malevolent entities on the wire are unable to construct 
legitimate packets based on captured data traffic between the remote 
client and the system. 

4. Other malevolent entities on the wire are unable to replay the captured 
10 " data traffic at a later time to repeat a specific action (i.e., a replay 

attack is not possible). 

5. The integrity of the data communication is preserved. That is, should 
the content of the data packet from remote client be changed on the 
wire (intercept and modify attack), the system receiving the packet 

15 would be able to detect the change (since the hash computed will not 

match with the hash in the packet). 
Turning to FIG 1, depicted therein is a remote management application 1 
accessing an IPMI-enabled hardware component 2 directly bypassing the operating 
system 3 otherwise controlling the operation of the IPMI-enabled hardware 2, which 

20 remote management application 1 and IPMI-enabled hardware component 2 may use 
the method and apparatus of the present invention. An exemplary embodiment of a 
method for authenticating a client application ensures that this access is performed only 
by authorized users. 

The exemplary embodiment provides authentication of the requesting client 

25 application. IPMI-enabled hardware components are accessible directly via modem, 
local area network or wire connections 5, without such requests passing through the 
host operating system 3. Consequently, operating system dependent authentication 
schemes are not applicable. Moreover, as remote management client applications 1 can 
obtain information and perform service routines without informing the operating host 

30 system 3, this access must be secured. The exemplary embodiments provide sufficient 
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authentication to secure the connection without overly taxing the service processor 
tasked with implementing the authentication protocol. 

To provide adequate security using low-powered processors, an exemplary 
embodiment uses a in-built security solution in the service processor tailored to the 

5 limited resources environment of the service processor. One example of a service 
processor is a baseboard management controller (BMC). This exemplary embodiment 
employs a four-pronged authentication protocol, which prevents both unauthorized 
access and spoofing, but does not protect the privacy of data, thereby avoiding complex 
computations necessary for encryption algorithms. 

10 First, the exemplary embodiment employs a Challenge Handshake 

Authentication Protocol (CHAP)-based authentication protocol, which consists of a 
challenge, response and verification. Second, the exemplary embodiment employs a 
unique session identification number for each access session. Third, the exemplary 
embodiment employs an incrementing sequence number for each message. Fourth, the 

1 5 exemplary embodiment employs a hash calculation on one or more of the following: 
session ID, sequence number and password, which are known to the authenticating 
processor. This enables the authenticating processor to calculate the same hash and 
compare the result, thereby verifying that at least the requestor possesses the same 
knowledge, indicative of the correct identification of the user. In addition, subsequent 

20 commands and data messages are combined with a hash calculated on the transmitted 
command and/or data, as well as the other values, such as password, sequence number 
and session identification number. The combination of these features provides a 
powerful, yet readily implementable authentication routine capable of being performed 
even by relatively small capacity processors usually employed in hardware components. 

25 

Authentication Protocol (CHAP based) 

The basic protocol employed in the authentication process is based on a 
challenge, response verification technique, such as CHAP. In this protocol, DPC 
messages are sent as UDP (User Datagram Protocol) datagrams over IP (Internet 
30 Protocol) at the network layer. The DPC server (e.g., the BMC) listens on a designated 
port for serving DPC requests. All communications between the DPC Console and the 
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service processor begin with an "Open Session" command. Various fields are added to 
the DPC messages to allow establishing a secure session. 

FIG 4 depicts the message structure of the DPC message 40. The message 40 
includes Ethernet-IP-UDP Framing 41 and UDP Data 42. The UDP data 42 includes 

5 Link/Session Layer Information 43 and a DPC Command 44. The Link/Session Layer 
Information 43 includes four parts - an authentication type 45, a sequence number 46 5 a 
session Identification number (ID) 47 and a keyed hash 48. At the Link/Session Layer 
Information 43, the message contains "Authentication Type" 45 as the first field. The 
other fields (46, 47 and 48) in this layer are authentication protocol-specific. 

10 The DPC supports multiple authentication schemes to provide protection against 

sending critical service requests (for example, power control) by an unauthorized user 
over the network. The DPC authenticates a client or user prior to a session 
establishment. The DPC also authenticates each message request during the session. 
The Authentication Type employed in the exemplary embodiments includes the 

1 5 Challenge Handshake Authentication Protocol (CHAP), however, other authentication 
protocols may be used without departing from the scope of the invention. 

Authentication Type 

The embodiments employ an authentication type such as Challenge-Handshake 
20 Authentication Protocol (CHAP). CHAP is an authentication method that can be used 
when connecting to an Internet Service Provider. CHAP allows one to login to a 
provider automatically, without the need for a terminal screen. It is more secure than the 
Password Authentication Protocol (another widely used authentication method) since it 
does not send passwords in text format. 

25 

Sequence Number Incrementing 

One embodiment of the invention includes automatically incrementing the 
sequence number during a session. One implementation of the "Sequence Number" 46 
is a four-byte field. Other sizes are possible, depending upon the implementation. Four 
30 bytes should be sufficient in most instances. 



-9- 



To further protect the transmission security, the requester increments the 
sequence number 46 after sending a message. The responder incorporates the same 
sequence number 46 in its response. The sequencing of messages provides protection 
against playback attack over the network. It also avoids retransmission of the replies 
5 due to duplication of the requests in the network. A recipient ignores the duplicated 
messages silently. 

Unique Session Identification 

To further protect communications, each session is assigned a unique 
iO identification number or "session ID". The session ID47 is also a four-byte field. Other 
sizes are possible, depending upon the implementation details. Four bytes should be 
sufficient in most cases. The server or authenticator generates a unique value as session 
identifier 47, which must be maintained throughout the session. If a service processor 
receives a message with an incorrect session identifier, it ignores the message as 
1 5 discussed previously with regard to the Sequence Number 46. 

HASH 

The Keyed Hash 48 is a multi-byte field and its length varies depending on the 
algorithm used. Examples of suitable algorithms include Message Digest-2 (MD2), 

20 Message Digest-5 (MD5) and Secure Hash (?) (SHA-2). For MD2 (message digest - 2) 
algorithm, this field is 16 bytes long. 

A hash is a bit sequence created from the manipulation of another bit sequence, 
such as a password, which resulting bit sequence (or hash) can then be sent in the clear 
without fear of providing the password to an unauthorized user, thereby enabling attack 

25 on the system by an unauthorized user. Many different algorithms exist for creating a 
hash, such as MD-2 and MD-5, SHA-2, etc. Any of these algorithms may be used in the 
embodiments without departing from the invention. 

Exemplary Operation of a Session 

30 FIG 5 depicts an exemplary authentication session 50 using above the technique 

in a service processor, such as a BMC, and a remote client application environment. 
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The session is initiated when the client transmits an Open DPC Session request 51 via 
the Remote Management Application 1. 

When the client requests an Open DPC Session 51 with a CHAP-type of 
authentication scheme (identified in Authentication Type 45), the server or 
authenticator (e.g., the BMC, which is the IPMI-enabled hardware component 2 of FIG 
1) generates a challenge 52, which is sent in the clear to the requester of the Open DPC 
Session 51. The challenge 52 includes a four-byte binary "challenge string" 53 and an 
identifier or "session ID" 54 (in the Session ED field 47, see FIG 4), which are intended 
for the requester to incorporate in the response message. 

The "challenge string" 53 generated should be unique. This means, at different 

instances of the Open DPC Session 51 request, the challenge string generated should be 
different, even for the same user. The client (i.e., the remote management application), 
on reception of the response to the Open DPC Session 51 request, must send the 
challenge message as a part of the authentication handshake process. 

In response to the challenge message 52, the client returns a challenge response 
message 55, which includes the Sequence Number 46, Session ID 47, and a Keyed 
Hash 48. The Keyed Hash 48 is a function of one or more of the challenge string 53, 
the Session ID 47 and the Sequence Number 46. 

Upon receipt of the challenge message 52, the client generates a "hash" value 
using the "user-password", which is known only to the authenticator (i.e., the server) 
and, of course, the client. The hash is calculated based upon one or more of the values 
of the challenge string 53, Session ID 47 and the Sequence Number 46. At the session 
layer, the client must use the Session ED 47 sent by the server in the previous response. 

Upon receipt of the challenge response 55, the authenticator/server calculates an 
expected hash value and compares the expected hash value to the received hash value 
58 in the challenge response 55 from the client. In response to the comparison, the 
authenticator sends an authentication response 56, indicating either success or failure of 
the authentication. 

In addition to comparing the expected hash value to the received hash value, the 
authenticator/server checks the received session identification and the sequence number 
to verify the proper values have been supplied. Of course, by calculating the expected 
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hash using these same values, and comparing the expected hash to the received hash, 
the authenticator can confirm in a single step whether the proper values have been 
supplied for the session identification and the sequence number. If the sequence 
number and session identification are used to derive the hash value, along with the 
5 password, then the received hash will not match the expected hash unless all of the 
values of which the hash is a function are correct. 

If the expected hash matches the received hash 58, the authenticator sends a 
message indicating "success" of the authentication process. Otherwise, the 
authenticator responds with the "failure" message to the client. This ends the 
10 authentication process 50. 

At this point, the client may begin with the application or platform specific IPM 
requests. As already mentioned above, the messages may contain fields that are 
authentication scheme specific depending on the scheme of the authentication that has 
been requested while opening the session. These messages will always have the 
15 "authentication type" field set to that requested in the Open DPC Session 51 message- 
request. 

Moreover, each packet of data and/or commands is further verified to determine 
it contains the correct values. This is accomplished by performing a hash of the data 
packet (along with one or more other values, such as the password, session ID and 
20 sequence number) and sending the hash value along with the data packet. This enables 
the recipient (either the service processor or the client application) to determine if the 
data was received correctly and without corruption. This is described in more detail 
below. 

25 Data-Integrity Protocol 

The bottom portion of FIG 5 describes the data-integrity protocol for the rest of 
the session between the DPC console and the service processor, e.g., the BMC. 

As described in the previous section, all the DPC messages or commands 59 
contain a Hash 48, 58, 61 (which Hash changes with each message exchanged) of the 
30 message itself. The Hash 61 as part of the DPC Command 59 is performed on the 
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complete DPC message 59, which includes the message body or data 60, the session ID 
54 and the sequence number 57. 

The following is a description of the hash function. 

Keyed Hash 48 (also called Message Authentication Code): 

H K (P)-C, 

where H is the hashing algorithm, P - plain text, C - hash, K - secret key. 
One possible embodiment of the hashing algorithm is MD2 (Message Digest 2). Other 
possible implementations include MD5 or SHA-2. Other hashing algorithms are 
possible and should be selected to not unduly tax the service processor that must 
perfdrm**th*e^e"calculations, particular in the embodiments that do so on every command 
and data transmission. 

The Keyed Hash 48 prevents against the modification of the data in transit, and 
also prevents against a replay attack (since Sequence Number 46 and Session ID 47 are 
part of the Keyed Hash 48). As the Sequence Number 46 and Session ID 47 are unique, 
each Keyed Hash 48 transmitted will be unique, thereby preventing retransmission of a 
previous message. 

Next is described each of the connections to the hardware components. 

Exemplary Embodiment of System for Accessing Hardware Component 
Information 

Turning to FIG 6, an exemplary embodiment of a system 60 for accessing 
hardware component information from hardware modules 68, 69 and 70 in a computer 
64 bypasses the operating system executing on the CPU 65 of the computer 64 and 
accesses the hardware modules 68, 69 and 70 directly via a modem, local area network 
or wire connection. The computer 64 includes a CPU 65 on which an operating system 
executes that controls the operation of the computer 64, disk drive 67 and random 
access memory 66, as well as the modules 68, 69 and 70. 

Each hardware module 68, 69 and 70 includes a service processor 68b, 69b, and 
70 b, respectively, for processing these requests and a port 68a, 69a and 70a via which 
the connection to the server is made. The service processor 68b, 69b, and 70b is 
typically a relatively low-level controller, at least compared to the processor 65 
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executing the operating system in the computer 64. Consequently, the authentication 
protocol employed cannot be unduly taxing on the service processor's capacity. 

A server 61, on which is executed a remote client application 62for managing 
the hardware component information, accesses each of the service processors 68b, 69b 
and 70b, as necessary. The connection between the server 61 and the computer 64 can 
be via a network 63, such as the Internet or an intranet, or via direct modem, LAN or 
wire connection. 

The client application 62 interacts with the service processor 68b 5 69b and 70b 
in the authentication process. The service processor 68b, 69b and 70b authenticates 
requests from the client application 62 requesting access to the service processor's host 
hardware module 68, 69 and 70. These requests bypass the operating system of the 
computer 64. Each service processor 68b, 69b and 70b, in response to a request for 
access to the host hardware module 68, 69 and 70, respectively, is programmed to: (1) 
transmit a challenge string to a requesting client application 62; (2) compare a challenge 
response received from the requesting client application 62 with an expected response 
to the challenge; and (3) transmit an authentication response to the requesting client 
application 62 based on the comparison. 

During the authentication process, each of the service processors 68b, 69b and 
70b assigns a session identification number unique to each session and transmits the 
session identification number to the requesting client application 62 in the challenge 
string. In addition, each of the service processors 68b, 69b and 70b reviews the 
challenge response to determine if it contains the session identification number 
transmitted in the challenge string. Furthermore, each of the service processors 68b, 
69b and 70b compares a sequence number included in the challenge response against 
previously received sequence numbers and ignores the challenge response if it does not 
include a sequence number in correct sequence. 

In addition to the above, each of the service processors 68b, 69b and 70b 
compares a hash number received in the challenge response with an expected hash 
calculated by the service processor 68b, 69b and 70b and transmits a success or failure 
message depending upon a result of the comparison. The hash includes one or more of 
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the following: the challenge string, the session identification number, the sequence 
number and a password. 

After the initial authentication process, each of the service processors 68b, 69b 
and 70b examines each command sent by the client application 62 for one or more of 
the following: the session identification number, the sequence number and a hash 
number, wherein the hash number is a function of one or more of the following: the 
session identification number, the sequence number and the command. 

On the client side, the client application 62 transmits a request for hardware 
component information to a service processor 68b, 69b and 70b disposed in a hardware 
component s, 69 and 70, respectively, as an open session request, which request passes 
external to an operating system executing on the CPU 65 and otherwise controlling the 
hardware component 68, 69 and 70. Upon receiving a challenge string from the service 
processor 68b, 69b and 70b, the client application 62 transmits a challenge response to 
the service processor 68b, 69b and 70b. Next, the client application 62 receives an 
authentication response from the service processor 68b, 69b and 70b based on a 
comparison of the challenge response from the client application 62 and an expected 
challenge response calculated in the service processor 68b, 69b and 70b. 

The challenge string includes a session identification number assigned by the 
service processor 68b, 69b and 70b , which session identification number is unique to 
each session, and the challenge response includes the session identification number. The 
challenge response also includes a sequence number, which increments with every new 
message from the requesting client application 62. In addition, the challenge response 
includes a hash number calculated by the requesting client application 62. The hash 
number is a function of one or more of the following: the challenge string, the session 
identification number, the sequence number and a password. 

After the initial authentication session, the client application 62 transmits with 
each data and/or command packet one or more of the following: the session 
identification number, the sequence number and a keyed hash. The keyed hash is a 
function of one or more of the following: the session identification number, the 
sequence number and the data and/or command. Various combinations of the above 
values can be sent to verify the integrity of the data and/or command packet, thereby 
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preventing malicious activity based on the substitution of the data and/or command 
packet with different information. 

Summary 

5 The above embodiments provide a method and apparatus for authenticating a 

remote client application executing on a remote server by a service processor located in 
a hardware component of a large computer system, rather than having to use the main 
processors and/or operating system of the server. The access bypassing the computer 
system operating system is authenticated by the service processor by using a challenge- 
* fc lX^^^dT3TOtOT0t;*a:'unique session ID assigned by the service processor and an 

incrementing sequence number. In addition, the service processor calculates a hash of 
one or more of these values and the user's password, and compares this to a received 
hash to verify the user has transmitted the appropriate information. Furthermore, once 
the initial session is authenticated, further data and/or command packets transmitted are 
1 5 checked for their integrity using a keyed hash. This process does not unduly tax the 
service processor, and therefore allows good security without having to use the main 
server processors, to upgrade the server processors or include an additional security 
processor. 

Although various embodiments are specifically illustrated and described herein, 
20 it will be appreciated that modifications and variations of the invention are covered by 
the above teachings and within the purview of the appended claims without departing 
from the spirit and intended scope of the invention. For example, while several of the 
embodiments describe the use of a keyed hash in combination with one or more other 
values, such as sequence numbers, session identification numbers, any combination of 
25 these values may be employed without departing from the scope of the invention. In 
addition, while some of the above embodiments describe examples of algorithms used 
to calculate a hash value, any algorithm will suffice. These examples should not be 
interpreted to limit the modifications and variations of the invention covered by the 
claims but are merely illustrative of possible variations. 
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WHAT IS CLAIMED IS : 



1 LA method for preventing unauthorized access to hardware management 

2 information comprising: 

3 receiving a request for hardware component information in a service processor 

4 disposed in a hardware component as an open session request from a requesting client 

5 application, which request passed to the service processor external to an operating 

6 system controlling the hardware component; 

7 transmitting from the service processor a challenge string to the requesting client 

^r^Spp1«6nT" — 
9 receiving in the service processor a challenge response from the requesting 

10 client application; 

1 1 comparing the challenge response to an expected response to the challenge 

12 string; and 

13 transmitting hardware component information to the requesting client 

14 application. 
1 

1 2, The method according to claim 1, wherein the challenge string includes a 

2 session identification number unique to each session. 
1 

1 3, The method according to claim 1, wherein the challenge response includes a 

2 session identification number unique to each session and assigned by the service 

3 processor. 
1 

1 4. The method according to claim 1, wherein the challenge response includes a 

2 sequence number that increments with every new message. 
1 

1 5. The method according to claim 1, wherein the challenge response includes a 

2 hash number, wherein the hash number is a function of one or more of the following: 

3 the challenge string, the session identification number, the sequence number and a 

4 password. 

1 
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1 

1 6. The method according to claim 1, further comprising examining each packet 

2 received from the client application for one or more of the following; the session 

3 identification number, the sequence number and a hash number. 
1 

1 7. The method according to claim 6, wherein the hash number is a function of 

2 one or more of the following: the session identification number, the sequence number 

3 and the packet itself. 
1 

- * I- * ■ -8/ A method for preventing unauthorized access to hardware management 

2 information comprising; 

3 transmitting a request for hardware component information to a service 

4 processor disposed in a hardware component as an open session request from a 

5 . requesting client application; 

6 passing the request to the service processor external to an operating system 

7 controlling the hardware component; 

8 receiving from the service processor a challenge string at the requesting client 

9 application; 

10 transmitting to the service processor a challenge response from the requesting 

1 1 client application; and 

12 receiving from the service processor an authentication response to the requesting 

13 client application based on a comparison of the challenge response from the requesting 

14 client application and an expected challenge response calculated in the service 

15 processor. , 
1 

1 9. The method according to claim 8, wherein the challenge string includes a 

2 session identification number assigned by the service processor, which session 

3 identification number is unique to each session, and the challenge response includes the 

4 session identification number. 
1 
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1 10. The method according to claim 9, wherein the challenge response includes a 

2 sequence number that increments with every new message from the requesting client 

3 application. 
1 

1 11. The method according to claim 8, wherein the challenge response includes a 



2 hash number calculated by the requesting client application, and the hash number is a 

3 function of one or more of the following: the challenge string, the session identification 

4 number, the sequence number and a password, 
1 

o i „ . ^ -i£»--The-method according to claim 8, further comprising transmitting with 

2 each packet sent by the client application one or more of the following: the session 

3 identification number, the sequence number and a hash number, and the hash number is 

4 a function of one or more of the following: the session identification number, the 

5 sequence number and the packet itself 
1 



1 13. An apparatus for authenticating a client application requesting access to a 

2 particular component among a plurality of components, comprising: 

3 a remote access port; and 

4 / a service processor disposed in the particular component, coupled to the remote 

5 access port, and in response to a remote request for information about the particular 

6 component received as an open session request through the remote access port external 

7 to a host operating system, the service processor is programmed to: 

8 transmit a challenge string to a requesting client application; 

9 compare a challenge response received from the requesting client 

10 application with an expected response to the challenge; and 

1 1 transmit an authentication response to the requesting client application 

1 2 based on the comparison. 
1 

1 14. The apparatus according to claim 13, wherein service processor assigns a 

2 session identification number unique to each session and transmits the session 

3 identification number to the requesting client application in the challenge string. 
1 
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1 15. The apparatus according to claim 14, wherein the service processor reviews 

2 the challenge response to determine if it contains the session identification number 

3 transmitted in the challenge string. 
1 

1 16. The apparatus according to claim 13, wherein the service processor 



2 compares a sequence number included in the challenge response against previously 

3 received sequence numbers and ignores the challenge response if it does not include a 

4 sequence number in correct sequence. 
1 

.4. - — l?v -T4ie- apparatus according to claim 1 3 , wherein the service processor 

2 compares a hash number received in the challenge response with an expected hash 

3 calculated by the service processor and transmits a success or failure message 

4 depending upon a result of the comparison. 
1 



1 18. The apparatus according to claim 17, wherein the hash includes one or more 

2 of the following : the challenge string, the session identification number, the sequence 

3 number and a password. 
1 

1 19. The apparatus according to claim 13, wherein the service processor 



2 examines each packet sent by the client application for one or more of the following: 

3 the session identification number, the sequence number and a hash number, wherein the 

4 hash number is a function of one or more of the following: the session identification 

5 number, the sequence number and the packet itself 
1 



1 20. A system for accessing hardware component information from a computer, 

2 comprising: 

3 a service processor disposed in the computer; 

4 a server remotely coupled to the service processor in the computer; 

5 a client application to execute on the server, wherein the service processor 

6 authenticates requests from the client application requesting access to the service 

7 processor's host hardware module, which request bypasses an operating system of the 
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8 computer, and the service processor in response to a request for access to the host 

9 hardware module is programmed to: 

10 transmit a challenge string to a requesting client application; 

1 1 compare a challenge response received from the requesting client 

12 application with an expected response to the challenge; and 

13 transmit an authentication response to the requesting client application 

14 based on the comparison. 
1 

1 21 . The system according to claim 20, wherein each of the service processors 

" assig^a^essron identification number unique to each session and transmits the session 

3 identification number to the requesting client application in the challenge string. 
1 

1 22. The system according to claim 20, wherein each of the service processors 

2 reviews the challenge response to determine if it contains the session identification 

3 number transmitted in the challenge string. 
1 

1 23. The system according to claim 20, wherein each of the service processors 

2 compares a sequence number included in the challenge response against previously 

3 received sequence numbers and ignores the challenge response if it does not include a 

4 sequence number in correct sequence. 
1 

1 24. The system according to claim 20, wherein each of the service processors 



2 compares a hash number received in the challenge response with an expected hash 

3 calculated by the service processor and transmits a success or failure message 

4 depending upon a result of the comparison. 
1 

1 25; The system according to claim 24, wherein the hash includes one or more of 

2 the following: the challenge string, the session identification number, the sequence 

3 number and a password. 
1 
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1 26. The system according to claim 20, wherein each of the service processors 

2 examines each packet sent by the client application for one or more of the following: 

3 the session identification number, the sequence number and a hash number, wherein the 



4 hash number is a function of one or more of the following: the session identification 

5 number, the sequence number and the packet. 
1 

1 27. A method for verifying integrity of a data packet comprising: 

2 receiving the data packet in a service processor disposed in a hardware 

3 component from a client application, which data packet passes external to an operating 
■ 4 system and a system processor otherwise controlling operation of the hardware 

5 component; 

6 receiving with the data packet a keyed hash of the data packet; and 

7 comparing the keyed hash with the data packet to an expected keyed hash. 
1 

1 28. The method according to claim 27, wherein the keyed hash is a function of 

2 one or more of the following: a session identification number, a sequence number, a 

3 password and the data packet. 
1 

1 29. A method for verifying integrity of a data packet comprising: 

2 transmitting a data packet to a service processor disposed in a hardware 

3 component from a client application, which data packet passes external to an operating 

4 system and system processor otherwise controlling the hardware component; 

5 calculating a keyed hash of the data packet; and 

6 transmitting to the service processor the keyed hash along with the data packet. 
1 

1 30. The method according to claim 29, wherein the keyed hash is a function of 

2 one or more of the following: a session identification number, a sequence number, a 

3 password and the packet. 
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1 3 1 . An apparatus for preventing unauthorized access to hardware management 

2 information comprising a computer readable media having programming instructions 

3 encoded thereon, instructing a processor to: 

4 receive a request for hardware component information in a service processor 

5 disposed in a hardware component as an open session request, which request passes 

6 external to an operating system controlling the hardware component; 

7 transmit from the service processor a challenge string to the requesting client 

8 application; 

9 receive in the service processor a challenge response from the requesting client 

10 application; 

1 1 compare the challenge response to an expected response to the challenge; and 

12 transmit from the service processor an authentication response to the requesting 

1 3 client application based on the comparison. 
1 

1 32. An apparatus for preventing unauthorized access to hardware management 

2 information comprising a computer readable media having programming instruction 

3 encoded thereon instructing a processor to; 

4 transmit a request for hardware component information to a service processor 

5 disposed in a hardware component as an open session request from a requesting client 

6 application, which request passes external to an operating system controlling the 

7 hardware component; 

8 receive from the service processor a challenge string at the requesting client 

9 application; 

10 transmit to the service processor a challenge response from the requesting client 

1 1 application; and 

12 receive from the service processor an authentication response to the requesting 

13 client application based on a comparison of the challenge response from the requesting 

14 client application and an expected challenge response calculated in the service 

15 processor. 
1 



-23- 



1 33. An apparatus for verifying integrity of a data packet comprising a computer 

2 readable media having programming instructions encoded thereon instructing a 

3 processor to: 

4 receive the data packet and a keyed hash in a service processor disposed in a 

5 hardware component from a client application, which data packet and keyed hash pass 

6 external to an operating system and a system processor otherwise controlling operation 

7 of the hardware component; 

8 calculate an expected a keyed hash of the data packet; and 

9 compare the received keyed hash with the expected keyed hash. 
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ABSTRACT 

To prevent unauthorized access to hardware management information in an out- 
of-band mode, i.e., when the operating system of the hardware is not executing, a 
method and apparatus employ an authentication protocol Upon receiving a request for 
hardware component information in a service processor that is disposed in a hardware 
component, which request is received as an open session request and which request 
passes external to an operating system controlling the hardware component, the service 
processor transmits a challenge string to the requesting client application. In response 
to a challenge response received from the requesting client application, the service 
processor compares the challenge response to an expected response to the challenge. 
The expected challenge response is calculated by the service processor. Based on the 
result of the comparison, the service processor transmits an authentication response to 
the requesting client application indicating success or failure of the authentication 
process.- On the client side, in response to a challenge string from the service processor, 
the requesting client application transmits to the service processor a challenge response, 
which includes an sequence number that increments with every new message from the 
requesting client application. The challenge response also includes a hash number 
calculated by the requesting client application, which hash number is a function of the 
challenge string, session identification number, sequence number and/or a password. 
Each new packet including data and/or commands from the client application includes a 
similarly calculated hash number. 
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